Skip to Content
Edit on GitHub

Environment Variables

This page is the deployment reference for LearnHouse environment variables. The backend loads apps/api/config/config.yaml first, then overrides matching settings from the environment. The web app reads NEXT_PUBLIC_* values from runtime config or process.env. The CLI-generated .env file is the recommended way to configure a self-hosted instance.

Values shown as “required” have no safe production fallback. Values shown as “unset” are optional: the feature stays disabled or uses a runtime fallback when the variable is missing.

Instance and hosting

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_SITE_NAMEInstance name returned by the API.stringLearnHouseAPI
LEARNHOUSE_SITE_DESCRIPTIONShort instance description returned by the API.stringLearnHouse is an open-source platform tailored for learning experiences.API
LEARNHOUSE_CONTACT_EMAILContact email for the instance.emailhi@learnhouse.appAPI
LEARNHOUSE_ENVEnvironment label for backend and Sentry reporting.stringdevAPI, Web
LEARNHOUSE_DEVELOPMENT_MODEEnables development-only API behavior such as docs routes and EE dev override.booleanfalseAPI, CLI
LEARNHOUSE_SAASEnables SaaS deployment mode, plan gating, and platform endpoint warnings.booleanfalseAPI
LEARNHOUSE_SELF_HOSTEDLegacy self-hosting flag used in tenancy inference. Prefer LEARNHOUSE_TENANCY. Parsed loosely: any non-empty value (including the string false) enables it, so leave it unset to keep it off.boolean-like stringunset (off)API
LEARNHOUSE_USE_DEFAULT_ORGLegacy default-org flag used in tenancy inference. Prefer LEARNHOUSE_TENANCY. Parsed loosely: any non-empty value (including the string false) enables it, so leave it unset to keep it off.boolean-like stringunset (off)API
LEARNHOUSE_TENANCYSelects single host tenancy or multi subdomain tenancy. Multi-tenancy requires EE or SaaS mode.enum: single, multisingle unless inferred as multi-tenantAPI, EE CLI
LEARNHOUSE_DOMAINPublic domain used for org routing, cookie decisions, and custom-domain CNAME targets. Include the port for local development.hostnamelocalhost:3000API, CLI
LEARNHOUSE_FRONTEND_DOMAINFrontend host used by the API when it needs the public frontend domain separately from the backend host.hostnamelocalhost:3000API, EE CLI
LEARNHOUSE_SSLBackend-side SSL flag for generated URLs and hosting config.booleanfalseAPI
LEARNHOUSE_PORTBackend port. Local config defaults to 1338; the production CLI template emits 9000.integer1338 locally, 9000 in generated Docker installsAPI, CLI, API container
LEARNHOUSE_ALLOWED_ORIGINSComma-separated CORS allowlist.CSV of URLshttp://localhost:3000,http://localhost:3001API
LEARNHOUSE_ALLOWED_REGEXPAdditional CORS origin regex used by multi-tenant deployments.regex string\b((?:https?://)[^\s/$.?#].[^\s]*)\bAPI
LEARNHOUSE_COOKIE_DOMAINCookie domain for auth cookies. Use a leading dot only when subdomains must share auth.hostname.localhostAPI, CLI
LEARNHOUSE_COOKIE_DOMAIN_ALLOW_BROADAcknowledges intentionally broad cookie domains such as .example.com and silences the safety warning.booleanfalseAPI, EE CLI
LEARNHOUSE_CUSTOM_DOMAIN_DEV_MODESkips DNS verification for all custom domains and marks them verified immediately. Development/testing only.booleanfalseAPI
LEARNHOUSE_PUBLICDocker build argument that produces a community build by excluding non-community code.booleanfalseDockerfiles (root, API, Web)
LEARNHOUSE_PLATFORM_URLBase URL for LearnHouse platform links, upgrade URLs, and email allowlist checks.URLunset; backend flows fall back to https://www.learnhouse.app and the web token-exchange to https://learnhouse.appAPI, Web
LEARNHOUSE_PLATFORM_API_KEYShared secret for platform-only internal endpoints such as packs.secret stringrequired for SaaS/platform endpointsAPI
CLOUD_INTERNAL_KEYShared secret for SaaS-internal endpoints (custom-domain sync and the cloud_internal router). When unset, those endpoints reject every request and the API logs a startup warning.secret stringunset; required for SaaS custom-domain provisioningAPI

Database, Redis, and collaboration

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_SQL_CONNECTION_STRINGPostgreSQL connection string for the API and Alembic migrations.PostgreSQL URLpostgresql://learnhouse:learnhouse@localhost:5432/learnhouse; production installs should set itAPI, API migrations, CLI
LEARNHOUSE_DB_URLFallback database URL for the standalone apps/api/scripts/migrate.py migration helper when DATABASE_URL is unset.PostgreSQL URLpostgresql://learnhouse:learnhouse@localhost:5432/learnhouseAPI migration script
LEARNHOUSE_PGBOUNCERForces PgBouncer/Supavisor-safe asyncpg settings even when the URL does not reveal a pooler.booleanfalseAPI
LEARNHOUSE_REDIS_CONNECTION_STRINGRedis URL for the API cache/session/event clients.Redis URLredis://localhost:6379/learnhouseAPI, CLI
LEARNHOUSE_REDIS_URLRedis URL for the collaboration server.Redis URLredis://localhost:6379; CLI setup emits redis://redis:6379Collab, CLI
LEARNHOUSE_API_URLAPI base URL used by the collaboration server.URLhttp://localhost:8000; generated compose sets http://localhost:9000Collab, CLI

Security, setup, and auth

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_AUTH_JWT_SECRET_KEYJWT signing key shared by the API and collaboration server. Must be at least 32 characters.secret stringrequiredAPI, Collab, CLI
LEARNHOUSE_INITIAL_ADMIN_EMAILInitial admin email used by the API install command and generated .env files.emailadmin@school.dev for the API install command; CLI setup writes the chosen emailAPI, CLI
LEARNHOUSE_INITIAL_ADMIN_PASSWORDInitial admin password used by the API install command and generated .env files.secret stringrequired for install/bootstrapAPI, CLI
LEARNHOUSE_INITIAL_ORG_NAMEInitial organization display name used during install.stringDefault OrganizationAPI, CLI
LEARNHOUSE_INITIAL_ORG_SLUGInitial organization slug used during install.slug stringdefaultAPI, CLI
LEARNHOUSE_GOOGLE_CLIENT_IDGoogle OAuth client ID used by web auth proxy routes.stringunset unless Google OAuth is enabledWeb, CLI
LEARNHOUSE_GOOGLE_CLIENT_SECRETGoogle OAuth client secret used by the web token exchange route.secret stringunset unless Google OAuth is enabledWeb, CLI
LEARNHOUSE_GOOGLE_OAUTH_CLIENT_IDExpected Google OAuth audience for backend ID-token validation. If unset, audience verification is disabled with a warning.stringunsetAPI

Web runtime

VariableDescriptionTypeDefault / requiredUsed by
NEXT_PUBLIC_LEARNHOUSE_API_URLExplicit API URL for frontend API calls. If unset, the web app derives it from NEXT_PUBLIC_LEARNHOUSE_BACKEND_URL.URLderived as {backend}/api/v1/Web, CLI
NEXT_PUBLIC_LEARNHOUSE_BACKEND_URLBackend base URL used by the web app and server-side auth proxy routes.URLhttp://localhost/ in config helpers; local dev checker writes http://localhost:1338/Web, CLI
NEXT_PUBLIC_LEARNHOUSE_DOMAINPublic frontend domain. The web app can also fall back to runtime cookies set by the backend.hostnamelocalhost or runtime cookie fallbackWeb, CLI
NEXT_PUBLIC_LEARNHOUSE_TOP_DOMAINTop-level/root domain used for cookie and subdomain helpers.hostnamederived from NEXT_PUBLIC_LEARNHOUSE_DOMAIN when unsetWeb, CLI
NEXT_PUBLIC_LEARNHOUSE_MULTI_ORGLegacy public multi-org flag generated by the CLI. Backend LEARNHOUSE_TENANCY is authoritative for current behavior.booleanfalseCLI, legacy Web config
NEXT_PUBLIC_LEARNHOUSE_DEFAULT_ORGDefault organization slug used by frontend routing fallbacks.slug stringdefaultWeb, CLI
NEXT_PUBLIC_LEARNHOUSE_HTTPSSelects https:// instead of http:// in frontend URL helpers.booleanfalseWeb, CLI
NEXT_PUBLIC_LEARNHOUSE_MEDIA_URLBase URL for direct media links. If unset, media URLs use the backend URL.URLunset, falls back to backend URLWeb
NEXT_PUBLIC_UNSPLASH_ACCESS_KEYUnsplash API access key for the in-editor Unsplash image picker (course thumbnails, board/community thumbnails, editor image blocks, and more). The picker still renders when unset, but Unsplash searches return nothing.stringunsetWeb, CLI
NEXT_PUBLIC_LEARNHOUSE_PLATFORM_URLBrowser-safe platform base URL for upgrade and auth exchange flows.URLunsetWeb
NEXT_PUBLIC_LEARNHOUSE_SENTRY_DSNBrowser/server Sentry DSN for the web app.URLunsetWeb
NEXT_PUBLIC_LEARNHOUSE_ENVWeb Sentry environment label.stringdevWeb

AI

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_IS_AI_ENABLEDMaster switch for AI features.booleanfalseAPI, CLI
LEARNHOUSE_GEMINI_API_KEYLegacy Google/Gemini key and fallback embeddings key for providers without embeddings.secret stringunsetAPI, CLI
LEARNHOUSE_AI_PROVIDERProvider for generation: google, openai, anthropic, deepseek, moonshot, mistral, openrouter, bedrock, ollama, or another supported Pydantic AI provider.stringgoogleAPI
LEARNHOUSE_AI_API_KEYAPI key for the selected AI provider. Not required for ollama; optional for bedrock.secret stringunset; required for most providersAPI
LEARNHOUSE_AI_BASE_URLCustom endpoint for OpenAI-compatible or local providers.URLunset; Ollama falls back to http://localhost:11434/v1API
LEARNHOUSE_AI_MODEL_FASTLow-latency model tier for titles, follow-ups, and migration tasks.model idgemini-3.1-flash-liteAPI
LEARNHOUSE_AI_MODEL_STANDARDStandard model tier for chat, RAG, and standard-plan generation.model idgemini-3.5-flashAPI
LEARNHOUSE_AI_MODEL_PROPro model tier for upgraded course planning and generation flows.model idgemini-3.1-pro-previewAPI
LEARNHOUSE_AI_EMBEDDING_PROVIDEROptional provider override for RAG embeddings.stringsame as LEARNHOUSE_AI_PROVIDERAPI
LEARNHOUSE_AI_EMBEDDING_MODELOptional embedding model override.model idprovider default, such as gemini-embedding-001, text-embedding-3-small, or nomic-embed-textAPI
LEARNHOUSE_AI_EMBEDDING_DIMENSIONSEmbedding vector size. Changing this requires a matching database migration and re-index.integer768API

Email

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_EMAIL_PROVIDEROutbound email provider.enum: resend, smtpresendAPI, CLI
LEARNHOUSE_RESEND_API_KEYResend API key when LEARNHOUSE_EMAIL_PROVIDER=resend.secret stringunset; required to send via ResendAPI, CLI
LEARNHOUSE_SYSTEM_EMAIL_ADDRESSSender address for system email.emailunset; CLI setup can emit noreply@{domain}API, CLI
LEARNHOUSE_SMTP_HOSTSMTP server hostname when LEARNHOUSE_EMAIL_PROVIDER=smtp.hostnameunsetAPI, CLI
LEARNHOUSE_SMTP_PORTSMTP server port.integer587API, CLI
LEARNHOUSE_SMTP_USERNAMESMTP authentication username.stringunsetAPI, CLI
LEARNHOUSE_SMTP_PASSWORDSMTP authentication password.secret stringunsetAPI, CLI
LEARNHOUSE_SMTP_USE_TLSEnables TLS for SMTP.booleantrueAPI, CLI

Content storage

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_CONTENT_DELIVERY_TYPEStorage backend for uploaded content.enum: filesystem, s3apifilesystemAPI, CLI
LEARNHOUSE_S3_API_BUCKET_NAMES3-compatible bucket name when using s3api.stringunset; required for S3 storageAPI, CLI
LEARNHOUSE_S3_API_ENDPOINT_URLS3-compatible endpoint URL. Leave unset for provider defaults where supported.URLunsetAPI, CLI

Payments

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_STRIPE_SECRET_KEYStripe secret key.secret stringunsetAPI
LEARNHOUSE_STRIPE_PUBLISHABLE_KEYStripe publishable key.stringunsetAPI
LEARNHOUSE_STRIPE_WEBHOOK_STANDARD_SECRETSigning secret for the standard Stripe webhook endpoint.secret stringunsetAPI
LEARNHOUSE_STRIPE_WEBHOOK_CONNECT_SECRETSigning secret for the Stripe Connect webhook endpoint.secret stringunsetAPI
LEARNHOUSE_STRIPE_CLIENT_IDStripe Connect OAuth client ID.stringunsetAPI

Code execution and analytics

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_JUDGE0_API_URLJudge0 API URL. Setting it enables code execution routes.URLunsetAPI
LEARNHOUSE_JUDGE0_CLIENT_IDOptional Judge0 client ID.stringunsetAPI
LEARNHOUSE_JUDGE0_CLIENT_SECRETOptional Judge0 client secret.secret stringunsetAPI
LEARNHOUSE_TINYBIRD_API_URLTinybird regional API URL. Setting it enables analytics config.URLunsetAPI
LEARNHOUSE_TINYBIRD_INGEST_TOKENTinybird token with ingest/write permissions.secret stringunset; required for event ingestionAPI
LEARNHOUSE_TINYBIRD_READ_TOKENTinybird token with read/query permissions.secret stringunset; required for analytics readsAPI

Observability

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_SENTRY_DSNBackend Sentry DSN; also used by the web edge Sentry config as a non-public fallback.URLunsetAPI, Web edge
LEARNHOUSE_LOGFIRE_ENABLEDCLI-generated Logfire flag. The current OSS runtime does not read it directly.booleanFalse in CLI-generated .envCLI

Enterprise and development controls

VariableDescriptionTypeDefault / requiredUsed by
LEARNHOUSE_LICENSE_KEYEnterprise license key. Validated by the EE backend at runtime; the CLI passes it through during install/update.secret stringrequired for EE installs and updatesEE backend, EE CLI
LEARNHOUSE_LICENSE_SERVER_URLEnterprise license server URL.URLhttps://partners.learnhouse.appEE backend, EE CLI
LEARNHOUSE_LICENSE_GRACE_HOURSOffline grace period (hours) the EE backend allows before an unvalidated license is rejected.integer25 (max 168)EE backend
LEARNHOUSE_DATA_DIRData directory path inside the Enterprise backend container.path/app/dataEE backend container
LEARNHOUSE_DISABLE_EEDisables local Enterprise hooks even if the ee/ folder exists.boolean-like stringunset; CLI dev sets 1 unless --ee is usedAPI, CLI dev
LEARNHOUSE_FORCE_EEForces EE mode during development when EE code is present. Ignored unless development mode is enabled.boolean-like stringunsetAPI, CLI dev
WORKOS_API_KEYWorkOS API key for Enterprise SSO. Required (with WORKOS_CLIENT_ID) to enable WorkOS-backed SSO.secret stringunset; required for SSOEE backend
WORKOS_CLIENT_IDWorkOS client ID for Enterprise SSO.stringunset; required for SSOEE backend
SSO_REDIRECT_URIFull SSO callback URL override. When set, it is used as-is.URLunset; derived from SSO_REDIRECT_URI_BASE / the configured domainEE backend
SSO_REDIRECT_URI_BASEBase URL used to build the SSO callback when SSO_REDIRECT_URI is not set.URLunset; falls back to LEARNHOUSE_DOMAIN, then to http://localhost:4000EE backend

These variables do not use the LEARNHOUSE_ prefix, but the CLI writes them into the same .env file and several services require them.

VariableDescriptionTypeDefault / requiredUsed by
HTTP_PORTPublic HTTP port chosen during CLI setup.integersetup choiceCLI-generated compose
NEXTAUTH_URLBase URL for NextAuth-compatible auth helpers.URLgenerated from the configured domainCLI, doctor
NEXTAUTH_SECRETSecret used by NextAuth-compatible auth helpers.secret stringgenerated by CLI setupCLI, doctor
COLLAB_INTERNAL_KEYShared key for API-to-collaboration-server internal auth.secret stringrequired for dev and production collab authAPI, Collab, CLI
NEXT_PUBLIC_COLLAB_URLPublic WebSocket URL for the collaboration server.WebSocket URLgenerated from the configured domainWeb, CLI
COLLAB_PORTLocal collaboration server port.integer4000 in local dev checkerCollab, CLI dev
COLLAB_TRUST_PROXYSet to true when the collaboration server runs behind a reverse proxy so client IPs (used for WebSocket rate limiting) are read from X-Forwarded-For.booleanfalseCollab
POSTGRES_USERPostgreSQL user for generated non-external database installs.stringlearnhouseCLI-generated compose
POSTGRES_PASSWORDPostgreSQL password for generated non-external database installs.secret stringgenerated by CLI setupCLI-generated compose
POSTGRES_DBPostgreSQL database name for generated non-external database installs.stringlearnhouseCLI-generated compose

Full example

.env
# Domain and hosting
LEARNHOUSE_DOMAIN=learn.example.com
HTTP_PORT=443
NEXT_PUBLIC_LEARNHOUSE_BACKEND_URL=https://learn.example.com/
NEXT_PUBLIC_LEARNHOUSE_API_URL=https://learn.example.com/api/v1/
NEXT_PUBLIC_LEARNHOUSE_DOMAIN=learn.example.com
NEXT_PUBLIC_LEARNHOUSE_TOP_DOMAIN=example.com
NEXT_PUBLIC_LEARNHOUSE_HTTPS=true
NEXT_PUBLIC_LEARNHOUSE_DEFAULT_ORG=default

# Backend
LEARNHOUSE_SQL_CONNECTION_STRING=postgresql://learnhouse:change-me@db:5432/learnhouse
LEARNHOUSE_REDIS_CONNECTION_STRING=redis://redis:6379/learnhouse
LEARNHOUSE_COOKIE_DOMAIN=.example.com
LEARNHOUSE_PORT=9000

# Security and bootstrap
LEARNHOUSE_AUTH_JWT_SECRET_KEY=replace-with-at-least-32-random-characters
LEARNHOUSE_INITIAL_ADMIN_EMAIL=admin@example.com
LEARNHOUSE_INITIAL_ADMIN_PASSWORD=change-this-password
LEARNHOUSE_INITIAL_ORG_NAME=Default Organization
LEARNHOUSE_INITIAL_ORG_SLUG=default

# Collaboration
COLLAB_INTERNAL_KEY=replace-with-random-shared-secret
LEARNHOUSE_REDIS_URL=redis://redis:6379
NEXT_PUBLIC_COLLAB_URL=wss://learn.example.com/collab

# AI, email, and storage
LEARNHOUSE_IS_AI_ENABLED=False
LEARNHOUSE_EMAIL_PROVIDER=resend
LEARNHOUSE_CONTENT_DELIVERY_TYPE=filesystem